CVE-2025-6755: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in gameusers Game Users Share Buttons
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
AI Analysis
Technical Summary
CVE-2025-6755 is a critical security vulnerability identified in the Game Users Share Buttons plugin for WordPress, affecting all versions up to and including 1.3.0. The vulnerability is classified as CWE-22, which refers to improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability. The root cause lies in insufficient validation of file paths within the ajaxDeleteTheme() function. Specifically, the plugin fails to properly sanitize the themeNameId parameter in AJAX requests, allowing an attacker with Subscriber-level privileges to craft malicious requests containing arbitrary file paths such as '../../../../wp-config.php'. This can lead to arbitrary file deletion and potentially remote code execution (RCE) if critical files are deleted or manipulated. The vulnerability is remotely exploitable over the network without requiring user interaction, but it does require low-level privileges (Subscriber role) within the WordPress environment. The CVSS v3.1 score is 8.8 (high severity), reflecting the ease of exploitation combined with the significant impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the vulnerability poses a substantial risk due to the widespread use of WordPress and the plugin's capability to escalate a low-privilege user to execute arbitrary code or disrupt site operations. The lack of a patch at the time of publication further increases the urgency for mitigation.
Potential Impact
For European organizations, this vulnerability presents a serious threat, especially for those relying on WordPress-based websites for business operations, e-commerce, or public-facing services. Exploitation could lead to unauthorized deletion of critical files, including configuration files like wp-config.php, which may expose database credentials and other sensitive information. This can result in data breaches, website defacement, service downtime, and potential remote code execution, allowing attackers to gain further control over the web server and internal networks. Organizations in sectors such as finance, healthcare, government, and e-commerce are particularly at risk due to the sensitivity of their data and regulatory requirements like GDPR. The disruption caused by such an attack could lead to financial losses, reputational damage, and legal consequences. Additionally, the ability for a low-privilege user to exploit this vulnerability increases the attack surface, as attackers may compromise or create Subscriber accounts through phishing or other means to leverage this flaw.
Mitigation Recommendations
Given the absence of an official patch at the time of reporting, European organizations should implement immediate compensating controls. These include: 1) Restricting Subscriber-level account creation and monitoring for suspicious account activity to prevent unauthorized access. 2) Implementing web application firewalls (WAFs) with custom rules to detect and block malicious AJAX requests targeting the ajaxDeleteTheme() function or containing path traversal patterns in the themeNameId parameter. 3) Conducting regular file integrity monitoring to detect unauthorized file deletions or modifications, especially for critical files like wp-config.php. 4) Limiting file system permissions for the WordPress installation to prevent deletion or modification of sensitive files by the web server user. 5) Isolating WordPress instances in segmented network zones to reduce lateral movement if exploitation occurs. 6) Keeping all other WordPress plugins and core components updated to minimize the overall attack surface. Once an official patch is released, organizations must prioritize its deployment. Additionally, performing thorough audits of user roles and permissions and educating administrators about the risks of low-privilege account misuse will strengthen defenses.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-6755: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in gameusers Game Users Share Buttons
Description
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
AI-Powered Analysis
Technical Analysis
CVE-2025-6755 is a critical security vulnerability identified in the Game Users Share Buttons plugin for WordPress, affecting all versions up to and including 1.3.0. The vulnerability is classified as CWE-22, which refers to improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability. The root cause lies in insufficient validation of file paths within the ajaxDeleteTheme() function. Specifically, the plugin fails to properly sanitize the themeNameId parameter in AJAX requests, allowing an attacker with Subscriber-level privileges to craft malicious requests containing arbitrary file paths such as '../../../../wp-config.php'. This can lead to arbitrary file deletion and potentially remote code execution (RCE) if critical files are deleted or manipulated. The vulnerability is remotely exploitable over the network without requiring user interaction, but it does require low-level privileges (Subscriber role) within the WordPress environment. The CVSS v3.1 score is 8.8 (high severity), reflecting the ease of exploitation combined with the significant impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the vulnerability poses a substantial risk due to the widespread use of WordPress and the plugin's capability to escalate a low-privilege user to execute arbitrary code or disrupt site operations. The lack of a patch at the time of publication further increases the urgency for mitigation.
Potential Impact
For European organizations, this vulnerability presents a serious threat, especially for those relying on WordPress-based websites for business operations, e-commerce, or public-facing services. Exploitation could lead to unauthorized deletion of critical files, including configuration files like wp-config.php, which may expose database credentials and other sensitive information. This can result in data breaches, website defacement, service downtime, and potential remote code execution, allowing attackers to gain further control over the web server and internal networks. Organizations in sectors such as finance, healthcare, government, and e-commerce are particularly at risk due to the sensitivity of their data and regulatory requirements like GDPR. The disruption caused by such an attack could lead to financial losses, reputational damage, and legal consequences. Additionally, the ability for a low-privilege user to exploit this vulnerability increases the attack surface, as attackers may compromise or create Subscriber accounts through phishing or other means to leverage this flaw.
Mitigation Recommendations
Given the absence of an official patch at the time of reporting, European organizations should implement immediate compensating controls. These include: 1) Restricting Subscriber-level account creation and monitoring for suspicious account activity to prevent unauthorized access. 2) Implementing web application firewalls (WAFs) with custom rules to detect and block malicious AJAX requests targeting the ajaxDeleteTheme() function or containing path traversal patterns in the themeNameId parameter. 3) Conducting regular file integrity monitoring to detect unauthorized file deletions or modifications, especially for critical files like wp-config.php. 4) Limiting file system permissions for the WordPress installation to prevent deletion or modification of sensitive files by the web server user. 5) Isolating WordPress instances in segmented network zones to reduce lateral movement if exploitation occurs. 6) Keeping all other WordPress plugins and core components updated to minimize the overall attack surface. Once an official patch is released, organizations must prioritize its deployment. Additionally, performing thorough audits of user roles and permissions and educating administrators about the risks of low-privilege account misuse will strengthen defenses.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-26T22:17:54.592Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 685f80106f40f0eb726abc16
Added to database: 6/28/2025, 5:39:28 AM
Last enriched: 6/28/2025, 5:54:26 AM
Last updated: 7/1/2025, 1:27:15 AM
Views: 21
Related Threats
CVE-2025-27023: CWE-20 Improper Input Validation in Infinera G42
MediumCVE-2025-27022: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Infinera G42
HighCVE-2025-27021: Vulnerability in Infinera G42
HighCVE-2025-24335: Vulnerability in Nokia Nokia Single RAN
MediumCVE-2025-24334: Vulnerability in Nokia Nokia Single RAN
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.